-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 14 November 2003 05:46, Adrian Midgley wrote:
> On Friday 14 November 2003 02:39, Theo P. Zourzouvillys wrote:
> >
> > although, i can see no reason why you can't use client certificates for
> > sending mail,
>
> How about SPF (Sender Permitted From) which looks a promising approach?
>
> mitted from: http://spf.pobox.com/

Slightly different problem.

Here I wanted to allow people from a.n.other network (thanks to a certain national telecoms provider's flexible service) to send via our SMTP relay. Of course they have dynamic IP addresses :(

The right way to do this is SMTP auth, and it isn't that difficult to set up really. But it would require me to rebuild sendmail (yuk) with some extra options (TLS, auth etc), or replace the entire mail setup (I'm working on that one ;), or drop in an extra server somewhere.

You can get encrypted mail over SSL in about 5 seconds effort with stunnel: just leave the ssmtp section in the conf, magic up a server certificate with openssl and the editor of your choice, start stunnel, and make sure you only accept connections from IPs trusted to be relays (as your MTA sees this traffic as originating from 127.0.0.1) on port 465 <IIRC>.

Stunnel can do a similar trick on POP3 if you want to avoid plaintext passwords, and keep it all encrypted over the wire (or more importantly æther <surely that doesn't exist - Einstein>). Worse, some of the POP3 password schemes require the ISP to hold your password in plaintext, even if it is never sent in plaintext between server and client. Well, I won't promise never to hold clients' passwords in plaintext, but I won't do it on a server exposing services to the Internet, well not unless the boss gets very specific on the point.

Since stunnel offers the option to verify certificates, it seemed a simple quick and dirty option just to add stunnel, enable certificate verify (literally 2 lines of the stunnel config file, one to say 'how paranoid', one to say 'who to trust'), and ship a trusted certificate to anyone who should be able to relay mail. This way they don't need to remember any passwords or usernames either, as a quick fix really doesn't want to be creating a management headache.

Probably possible to take one of the easier to configure SMTP servers that support SMTP Auth, and make it listen on a specific port other than 25.

Still, in the end I put in a terrible hack that allows in theory the potential to relay mail from a small section of someone else's IP space, for as long as you send it via ssmtp to a specific port. Let's hope the spammers stay stupid for a couple of weeks till I finish deploying the new mail server, and can get down to sorting out how to apply the qmail SMTP auth patch to our already much abused copy of Qmail.

Neil S

try: gpg --refresh-keys waters --keyserver sks.dnsalias.net
Some of the older key servers can't handle my updated key.

-----BEGIN PGP SIGNATURE-----
Comment: Encryption...is a powerful defensive weapon for free people.

iD8DBQE/tgxgGFXfHI9FVgYRAg+pAJsEw1gpEpKST1Xakr464YrN9izGNgCgx3XG
gtZ4lHy5pda3LYb+EjBGS9Q=
=+a7o
-----END PGP SIGNATURE-----

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
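The stunnel arrangement Neil describes, written out as a stunnel 4-style configuration. This is an added example, not a file from the original message or from the LUG; the file paths, the section names and the name of the CA file are assumptions. The "5 seconds" variant (the stock `[ssmtp]` section with no verification) is shown commented out so the difference is visible: without `verify` and `CAfile`, every TLS session that reaches port 465 is handed to the MTA from 127.0.0.1, so any "trust localhost to relay" rule in the MTA effectively becomes "trust the whole Internet to relay". The two lines Neil calls 'how paranoid' and 'who to trust' are `verify` and `CAfile`.

```ini
; /etc/stunnel/stunnel.conf  (assumed path; example, not from the original post)
; Global section: server certificate made with openssl, drop privileges after start.
cert = /etc/stunnel/stunnel.pem
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel.pid
client = no

; --- Weak form: the stock SSMTP wrapper, encryption only, no client check ---
; Anyone who can reach 465 is seen by the MTA as 127.0.0.1.
;[ssmtp]
;accept = 465
;connect = 127.0.0.1:25

; --- Hardened form: require a client certificate from a CA we issued ---
[ssmtp]
accept = 465
connect = 127.0.0.1:25
; 'how paranoid': level 2 requires a peer certificate and verifies it
; against CAfile; a client without a trusted certificate is dropped at
; the TLS handshake and never reaches the MTA.
verify = 2
; 'who to trust': the CA that signed the certificates shipped to relay users
; (assumed file name).
CAfile = /etc/stunnel/relay-ca.pem

; Same trick for POP3, so passwords never cross the wire in plaintext.
; Client-certificate verification is optional here; the encryption alone
; is the point Neil makes.
[pop3s]
accept = 995
connect = 127.0.0.1:110
```

Two checks worth doing after enabling this: connect to port 465 without a client certificate and confirm the handshake fails rather than reaching the SMTP banner, and confirm the MTA's own relay rules do not also accept unauthenticated port 25 traffic from the address ranges you were trying to let in. Reachability of 465 and 995 should still be limited with host firewall rules where possible, as the post suggests, so the certificate check is a second layer rather than the only one.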